darkcomet | 491544e52e7cc8c4260647abcb38138c21e34406d4e553936c5e1be8931c0099 | Triage

Submit
Reports

Overview

overview

Static

static

491544e52e...99.exe

windows7_x64

491544e52e...99.exe

windows10_x64

Sharing

General

Target

491544e52e7cc8c4260647abcb38138c21e34406d4e553936c5e1be8931c0099
Size

821KB
Sample

210516-864qesg2zs
MD5

d9b36a4b92a93b667270722827c7d303
SHA1

cfaec9d1e7557c483a3415fb4496735c6da181dc
SHA256

491544e52e7cc8c4260647abcb38138c21e34406d4e553936c5e1be8931c0099
SHA512

11299d1e2388e7132e47dfb2b72cc1a98a92ecb29500082c763f237f2f4f023fb650af7901e6402889fd9a014e55cd4d30464740839f53cdd05f85a65a1ff665

Score

10^/10

darkcomet evasion persistence rat trojan

Static task

static1

Behavioral task

behavioral1

Sample

491544e52e7cc8c4260647abcb38138c21e34406d4e553936c5e1be8931c0099.exe

Resource

win7v20210410

darkcomet evasion persistence rat trojan

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

491544e52e7cc8c4260647abcb38138c21e34406d4e553936c5e1be8931c0099.exe

Resource

win10v20210408

darkcomet evasion persistence rat trojan

windows10_x64

0 signatures

0 seconds

Malware Config

Targets

- Target
  
  491544e52e7cc8c4260647abcb38138c21e34406d4e553936c5e1be8931c0099
- Size
  
  821KB
- MD5
  
  d9b36a4b92a93b667270722827c7d303
- SHA1
  
  cfaec9d1e7557c483a3415fb4496735c6da181dc
- SHA256
  
  491544e52e7cc8c4260647abcb38138c21e34406d4e553936c5e1be8931c0099
- SHA512
  
  11299d1e2388e7132e47dfb2b72cc1a98a92ecb29500082c763f237f2f4f023fb650af7901e6402889fd9a014e55cd4d30464740839f53cdd05f85a65a1ff665
Score

10^/10

darkcomet evasion persistence rat trojan
- Darkcomet
  DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
  trojan rat darkcomet
- Modifies WinLogon for persistence
  persistence
- Modifies firewall policy service
  evasion
- Modifies security service
  evasion
- Windows security bypass
  evasion trojan
- Drops file in Drivers directory
- Executes dropped EXE
- Sets file to hidden
  Modifies file attributes to stop it showing in Explorer etc.
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

Modify Existing Service

Hidden Files and Directories

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Disabling Security Tools

Hidden Files and Directories

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

darkcometevasionpersistencerattrojan

behavioral2

darkcometevasionpersistencerattrojan

© 2018-2024

Terms | Privacy